Pending members are emailed about posts


(Allen - Watchman Monitoring) #1

As of v1.5.0.beta10 +105, users who have applied for an account but are still pending review are getting emailed about user posts.

The users show as

Approved? No
Active? No

but still have ‘user posted’ emails in the logs.


How best to flag security related issues?
(Allen - Watchman Monitoring) #2

How is it OK for someone who’s requested access to a private site to be getting emails about its content?

Here are two pending users… just because the top one has validated the email address (by using Google SSO in this case) doesn’t mean it’s OK for emails to be sent.


(Dean Taylor) #3

Have you checked to see the type of email that’s been sent?

Perhaps just a password reset email?

I’m not even sure if these are counted - but just wanted to put the thought out there.


(Allen - Watchman Monitoring) #4

When I opened this topic, the logs showed that the user was receiving emails due to user posting & digest.

In this case, the b1000 user in the image only shows a forgot password email, but then, there’s been no posting for about a week now.

Will report back once there’s been some action, and update this topic if either user gets an email.


(Allen - Watchman Monitoring) #5

Yes, the activated, but pending, user got an email :thumbsdown:


(Allen - Watchman Monitoring) #6

Is there a security tag on Meta that I could apply to this bug?

Should there be?


(Robin Ward) #7

I have no good excuse for why this fell through the cracks but thank you very much for bringing it up again.

Here is a fix, backported to all branches:


(Jeff Atwood) #8